cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Conditional access policy & IPv6

%3CLINGO-SUB%20id%3D%22lingo-sub-1737586%22%20slang%3D%22en-US%22%3EConditional%20access%20policy%20%26amp%3B%20IPv6%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1737586%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3C%2FP%3E%3CP%3EI%20created%20a%20conditional%20access%20policy%20to%20block%20all%20locations%2C%20excluding%20Australia%20and%20Singapore.%20This%20works%20great%20for%20users%20logging%20in%20using%20IPv4%2C%20however%20it%20blocks%20those%20using%20IPv6.%20I%20logged%20a%20call%20with%20MS%20and%20got%20confirmation%20that%20%22at%20the%20moment%20by%20Design%2C%20the%20Countries%20tab%20in%20Conditional%20Access%20feature%20does%20not%20include%20IPV6%20addresses%20option.%20It%20only%20covers%20IPV4.%22.%3C%2FP%3E%3CP%3EOne%20of%20the%20largest%20ISPs%20(if%20not%20the%20largest)%20here%20in%20Australia%20uses%20dynamic%20IPv6%20by%20default!%20Loction%20can't%20be%20be%20mapped%20to%20Australia%2C%20so%20conditional%20access%20blocks%20the%20sign%20in!%3C%2FP%3E%3CP%3EWhy%20can't%20Conditional%20Access%20do%20an%20IPv6%20lookup%3F%20Thats%20what%20the%20team%20over%20at%20APNIC%20do%3F%3C%2FP%3E%3CP%3EAny%20thoughts%20on%20the%20matter%3F%3C%2FP%3E%3CP%3ETa.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1737586%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eipv6%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1738163%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20access%20policy%20%26amp%3B%20IPv6%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1738163%22%20slang%3D%22en-US%22%3EUnfortunately%20there%20isn't%20much%20to%20say.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20agree%20that%20IPv6%20support%20is%20needed.%20But%20as%20of%20now%2C%20it's%20not%20supported%20in%20Conditional%20Access.%3CBR%20%2F%3E%3CBR%20%2F%3EMicrosoft%20is%20aware%20of%20this%2C%20but%20I%20don't%20know%20of%20any%20timeline%20when%20this%20will%20be%20implemented%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1743971%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20access%20policy%20%26amp%3B%20IPv6%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1743971%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3BHi%20there%26nbsp%3BThijs.%20What%20I've%20had%20to%20do%20is%20to%20create%20a%20named%20location%20and%20tick%20the%20%22%26nbsp%3BInclude%20unknown%20areas%22%20option.%20I've%20added%20this%20location%20as%20an%20exclusion%20to%20the%20policy.%20Not%20ideal%2C%20but%20any%20IPv6%20traffic%20should%20now%20be%20allowed.%3C%2FP%3E%3C%2FLINGO-BODY%3E
shane_foley
New Contributor

‎Oct 01 2020 06:17 PM

‎Oct 01 2020 06:17 PM

Conditional access policy & IPv6

Hi there,

I created a conditional access policy to block all locations, excluding Australia and Singapore. This works great for users logging in using IPv4, however it blocks those using IPv6. I logged a call with MS and got confirmation that "at the moment by Design, the Countries tab in Conditional Access feature does not include IPV6 addresses option. It only covers IPV4.".

One of the largest ISPs (if not the largest) here in Australia uses dynamic IPv6 by default! Loction can't be be mapped to Australia, so conditional access blocks the sign in!

Why can't Conditional Access do an IPv6 lookup? Thats what the team over at APNIC do?

Any thoughts on the matter?

Ta.

Labels:
3,851 Views
1 Like
3 Replies
Reply
3 Replies
Thijs Lecomte

‎Oct 02 2020 12:22 AM

‎Oct 02 2020 12:22 AM

Re: Conditional access policy & IPv6

Unfortunately there isn't much to say.

I agree that IPv6 support is needed. But as of now, it's not supported in Conditional Access.

Microsoft is aware of this, but I don't know of any timeline when this will be implemented
0 Likes
Reply
shane_foley

‎Oct 04 2020 04:55 PM

‎Oct 04 2020 04:55 PM

Re: Conditional access policy & IPv6

@Thijs Lecomte Hi there Thijs. What I've had to do is to create a named location and tick the " Include unknown areas" option. I've added this location as an exclusion to the policy. Not ideal, but any IPv6 traffic should now be allowed.

0 Likes
Reply
Todd_Kearney

‎Apr 23 2021 07:08 AM

‎Apr 23 2021 07:08 AM

Re: Conditional access policy & IPv6

@shane_foley Not sure what your location is, or what you are trying to block, but for us we are in the US and trying to block non-US connection attempts.    To accomplish this we setup a location for US IPv6 addresses and added all of the US IPv6 blocks:

2001:4800::/23
2001:0400::/23
2001:1800::/23
2001:4800::/23
2600:0000::/12
2610:0000::/23
2620:0000::/23
2630:0000::/12
0 Likes
Reply